We introduce a natural cryptographic functionality called functional
re-encryption. Informally, this functionality, for a public-key encryption scheme
and a function F with n possible outputs, transforms (“re-encrypts") an
encryption of a message m under an “input public key" pk into an encryption of
the same message m under one of the n “output public keys", namely the public key
indexed by F(m).

In many settings, one might require that the program implementing the
functional re-encryption functionality should reveal nothing about both the input
secret key sk as well as the function F. As an example, consider a user Alice who
wants her email server to share her incoming mail with one of a set of n
recipients according to an access policy specified by her function F, but who
wants to keep this access policy private from the server. Furthermore, in this
setting, we would ideally obtain an even stronger guarantee: that this
information remains hidden even when some of the n recipients may be
corrupted.

To formalize these issues, we introduce the notion of collusion-resistant
obfuscation and define this notion with respect to average-case secure
obfuscation (Hohenberger et al. - TCC 2007). We then provide a construction of a
functional re-encryption scheme for any function F with a polynomial-size domain
and show that it satisfies this notion of collusion-resistant obfuscation. We
note that collusion-resistant security can be viewed as a special case of
dependent auxiliary input security (a setting where virtually no positive results
are known), and this notion may be of independent interest.

Finally, we show that collusion-resistant obfuscation of functional
re-encryption for a function F gives a way to obfuscate F in the sense of Barak
et al. (CRYPTO 2001), indicating that this task is impossible for arbitrary
(polynomial-time computable) functions F.